Friday, April 17, 2015

Bro IDS SMTP File Extraction

Bro IDS SMTP file extraction script, first attempt:

@load base/files/extract

# map of MIME types to the extension we want the extracted file to carry;
# only attachments with one of these types get pulled off the wire
global ext_map: table[string] of string = {
        ["application/x-dosexec"] = "exe",
        ["application/zip"] = "zip",
        ["application/msword"] = "doc",   # msword is Word, not Excel, so "doc" not "xls"
};

event file_new(f: fa_file)
        {
        # if this isn't SMTP, we don't want it
        if ( f$source != "SMTP" )
                return;

        # if there's no mime type, or it's not in our list, we don't want it
        if ( ! f?$mime_type || f$mime_type !in ext_map )
                return;

        # the check above guarantees the mime type is present and in the table,
        # so no second f?$mime_type test is needed
        local ext = ext_map[f$mime_type];

        # name the file after its source and Bro's file id, e.g. SMTP-<fuid>.exe
        local fname = fmt("%s-%s.%s", f$source, f$id, ext);
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
        }
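As an added example that is not part of the original post, the same script with two things a first attempt usually lacks on a production sensor: a per-file cap on how many bytes get written to disk, so one oversized attachment cannot fill the extraction directory, and a hash analyzer so each extracted attachment also gets a SHA1 in files.log for later lookup. It assumes Bro 2.3 or later, where Files::AnalyzerArgs has the $extract_size_limit field and the file_extraction_limit event exists; the module name SMTPExtract, the notice type Attachment_Truncated, the constant max_extract_bytes and its 10 MB value are all choices made here, not Bro's own.

```bro
@load base/frameworks/notice
@load base/files/extract
@load base/files/hash

module SMTPExtract;

export {
        redef enum Notice::Type += {
                # raised when an attachment was larger than the extraction cap (name chosen here)
                Attachment_Truncated,
        };

        # per-file cap on extracted bytes; the value is an assumption, tune to your disk budget
        const max_extract_bytes: count = 10 * 1024 * 1024 &redef;

        # MIME types we care about, mapped to the extension the extracted file gets
        const ext_map: table[string] of string = {
                ["application/x-dosexec"] = "exe",
                ["application/zip"] = "zip",
                ["application/msword"] = "doc",
        } &redef;
}

event file_new(f: fa_file)
        {
        # only SMTP attachments, and only the types listed in ext_map
        if ( f$source != "SMTP" )
                return;
        if ( ! f?$mime_type || f$mime_type !in ext_map )
                return;

        local fname = fmt("%s-%s.%s", f$source, f$id, ext_map[f$mime_type]);

        # extract to disk, but stop writing once max_extract_bytes have been seen
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                            [$extract_filename=fname, $extract_size_limit=max_extract_bytes]);

        # hash the attachment too; the digest lands in files.log and can be matched against intel
        Files::add_analyzer(f, Files::ANALYZER_SHA1);
        }

# Bro raises this when the extract analyzer is about to exceed its size limit;
# the chunk that would breach the limit is not written unless the handler raises the limit
event file_extraction_limit(f: fa_file, args: Files::AnalyzerArgs, limit: count, len: count)
        {
        if ( f$source != "SMTP" )
                return;

        NOTICE([$note=Attachment_Truncated,
                $msg=fmt("SMTP attachment %s hit the %d byte extraction limit (chunk of %d bytes not written)",
                         args$extract_filename, limit, len),
                $f=f]);
        }
```

Load it from local.bro alongside the original script's replacement and the truncation events show up in notice.log with the file id attached, so a capped attachment is visible rather than silently cut short.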